

Information Commissioner's Office 


ICO consultation on the draft updated data sharing 
code of practice 


Data sharing brings important benefits to organisations and individuals, 
making our lives easier and helping to deliver efficient services. 


It is important, however, that organisations which share personal data 
have high data protection standards, sharing data in ways that are fair, 
transparent and accountable. We also want organisations to be confident 
when dealing with data sharing matters, so individuals can be confident 
their data has been shared securely and responsibly. 


As required by the Data Protection Act 2018, we are working on updating 
our data sharing code of practice, which was published in 2011. We are 
now seeking your views on the draft updated code. 


The draft updated code explains and advises on changes to data 
protection legislation where these changes are relevant to data sharing. It 
addresses many aspects of the new legislation including transparency, 
lawful bases for processing, the new accountability principle and the 
requirement to record processing activities. 


The draft updated code continues to provide practical guidance in relation 
to data sharing and promotes good practice in the sharing of personal 
data. It also seeks to allay common concerns around data sharing. 


As well as legislative changes, the code deals with technical and other 
developments that have had an impact on data sharing since the 
publication of the last code in 2011. 


Before drafting the code, the Information Commissioner launched a call 
for views in August 2018. You can view a summary of the responses and 
some of the individual responses here. 


If you wish to make any comments not covered by the questions in the 
survey, or you have any general queries about the consultation, please 
email us at datasharingcode@ico.org.uk. 


Please send us your responses by Monday 9 September 2019. 


Privacy Statement 


For this consultation, we will publish all responses except for those where 
the respondent indicates that they are an individual acting in a private 
capacity (e.g. a member of the public). All responses from organisations 
and individuals responding in a professional capacity will be published. We 
will remove email addresses and telephone numbers from these 
responses; but apart from this, we will publish them in full. 


For more information about what we do with personal data please see our 
privacy notice. 


Questions 


Note: when commenting, please bear in mind that, on the whole, the 
code does not duplicate the content of existing guidance on particular 
data protection issues, but instead encourages the reader to refer to the 
most up to date guidance on the ICO website. 


Q1 Does the updated code adequately explain and advise on the new 
aspects of data protection legislation which are relevant to data 
sharing? 


[| Yes 


o No 


Q2 If not, please specify where improvements could be made. 


Data Traceability 

Much of the consultation document concentrates on the first level of data sharing for example credit checking for a 
consumer transaction. Such first level data sharing relates to the direct service provision to consumers where 
several parties need to cooperate and exchange data in order to provide the service; or to enable the creation of 
an account with an age check or billing for example. 

However, much doubtful practice occurs when data is passed on to 3rd parties who do not play a role in primary 
service provision, for example data brokers. This is a huge area of data exploitation; according to the Sunday 
Times Business Section, 1st September, Page 8, the global market for such trading is about £200 bn pa. 

In order to be able to exercise their Data Protection rights, consumers need to be able to trace where their data 
has gone within this vast data sharing ecosystem, and so traceability requirements and associated guidance for 
data sharing need to be included. Further information on these requirements from the consumer perspective can 
be found in the Consumer Standards Representatives Privacy Guide on Data Sharing, 
http://www.anec.eu/images/Publications/position-papers/Digital/ANEC-ICT-2015-G-040.pdf, sections 10, 11, 12 and 13. 


Q3 Does the draft code cover the right issues about data sharing? 


O Yes 


O No    See answer to Q2 as well as Q4 below 


Q4 If no, what other issues would you like to be covered in it? 


On the issue of anonymisation: much anonymisation practice focuses on the removal of names while, from the 
definition of personal data, data sets may contain any number of technical identifiers that can lead to 
identifiability risks either from direct identification or indirectly through linking with other data. 


Requirements for undertaking identifiability and link-ability risk checks, and mitigation if risks are high, should 
be included in data sharing practices. 

Ref ICO web site: 

“‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an 
identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an 
identifier such as a name, an identification number, location data, an online identifier or to one or more factors 
specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural 
person”. 


Q5 Does the draft code contain the right level of detail? 


O Yes 


o No    NO 


Q6 If no, in what areas should there be more detail within the draft 
code? 


Sharing of databases that are open for general access (for example as being proposed for Smart Cities) 


Open data sets do not necessarily have predetermined purposes and so there is a need for guidance on 
access requests for data where the new purpose is stated, so that the legal basis for processing and sharing can 
be checked and data subject consent obtained if necessary. 


In other words such data sets should be generally available but only accessible when a legal basis has been 
established. 


Q7 Has the draft code sufficiently addressed new areas or 
developments in data protection that are having an impact on your 
organisation’s data sharing practices? 


O Yes 


D No 


Q8 If no, please specify what areas are not being addressed, or not 
being addressed in enough detail 


An annex providing examples of data sharing records would be very helpful in providing a practical example 
that would allow the smaller organisation to get to grips with Data Protection data sharing. 


Attached to the NCF’s submission is our work in progress paper on data sharing records that we are 
developing. 


Q9 Does the draft code provide enough clarity on good practice in data 
sharing? 


O Yes 


O No 


Q10 If no, please indicate the section(s) of the draft code which could be 
improved, and what can be done to make the section(s) clearer. 


Q11 Does the draft code strike the right balance between recognising 
the benefits of sharing data and the need to protect it? 


(| Yes    no view from the NCF 


No 


Q12 If no, in what way does the draft code fail to strike this balance? 


Q13 Does the draft code cover case studies or data sharing scenarios 
relevant to your organisation? 


L No 


Q14 Please provide any further comments or suggestions you may have 
about the draft code. 


Q15 To what extent do you agree that the draft code is clear and easy 
to understand? 

Strongly agree 

Agree    Agree for those who are already familiar with Data Protection law but 
maybe needs a simplified version for SMEs 

Neither agree nor disagree 

Disagree 

Strongly disagree 


Q16 Are you answering as: 


O An individual acting in a private capacity (e.g. someone 
providing their views as a member of the public) 


O An individual acting in a professional capacity 


LJ On behalf of an organisation 


O Other 


Please specify the name of your organisation: 


The National Consumer Federation 


Thank you for taking the time to share your views and experience. 


